Implement Qubes Management API methods #2622

Open
woju opened this Issue Feb 8, 2017 · 2 comments

woju commented Feb 8, 2017

  • mgmt.property.List
  • mgmt.property.Get
  • mgmt.property.Help
  • mgmt.property.Reset
  • mgmt.property.Set
  • mgmt.property.Set
  • mgmt.vmclass.List
  • mgmt.vm.List
  • mgmt.vm.Create.<class>
  • mgmt.vm.CreateInPool.<class>
  • mgmt.vm.property.List
  • mgmt.vm.property.Get
  • mgmt.vm.property.Help
  • mgmt.vm.property.Reset
  • mgmt.vm.feature.List
  • mgmt.vm.feature.Get
  • mgmt.vm.feature.CheckWithTemplate
  • mgmt.vm.feature.Remove
  • mgmt.vm.feature.Set
  • mgmt.vm.tag.List
  • mgmt.vm.tag.Get
  • mgmt.vm.tag.Remove
  • mgmt.vm.tag.Set
  • mgmt.vm.firewall.Get
  • mgmt.vm.firewall.Set
  • mgmt.vm.firewall.Reload
  • mgmt.vm.device.<class>.Attach
  • mgmt.vm.device.<class>.Detach
  • mgmt.vm.device.<class>.List
  • mgmt.vm.device.<class>.Available
  • mgmt.pool.ListDrivers
  • mgmt.pool.List
  • mgmt.pool.Info
  • mgmt.pool.Add
  • mgmt.pool.Remove
  • mgmt.pool.volume.List
  • mgmt.pool.volume.Info
  • mgmt.pool.volume.ListSnapshots
  • mgmt.pool.volume.Snapshot
  • mgmt.pool.volume.Revert
  • mgmt.pool.volume.Resize
  • mgmt.vm.volume.List
  • mgmt.vm.volume.Info
  • mgmt.vm.volume.ListSnapshots
  • mgmt.vm.volume.Snapshot
  • mgmt.vm.volume.Revert
  • mgmt.vm.volume.Resize
  • mgmt.vm.volume.Import
  • mgmt.vm.volume.CloneFrom
  • mgmt.vm.volume.CloneTo
  • mgmt.vm.Start
  • mgmt.vm.Shutdown
  • mgmt.vm.Pause
  • mgmt.vm.Unpause
  • mgmt.vm.Kill
  • mgmt.label.List
  • mgmt.label.Get
  • mgmt.label.Create
  • mgmt.label.Remove
  • mgmt.backup.Execute
  • mgmt.backup.Info
  • mgmt.Events

@woju woju added C: core task labels Feb 8, 2017

@woju woju added this to the Release 4.0 milestone Feb 8, 2017

@woju woju self-assigned this Feb 8, 2017

woju commented Feb 8, 2017

For documentation see https://www.qubes-os.org/doc/mgmt1/.

Cc: @marmarek

@woju woju added the C: mgmt label Feb 8, 2017

woju added a commit to woju/qubes-core-admin that referenced this issue Feb 10, 2017

woju added a commit to woju/qubes-core-admin that referenced this issue Feb 10, 2017

woju added a commit to woju/qubes-core-admin that referenced this issue Feb 10, 2017

woju added a commit to woju/qubes-core-admin that referenced this issue Feb 10, 2017

woju added a commit to woju/qubes-core-admin that referenced this issue Feb 15, 2017

woju added a commit to woju/qubes-core-admin that referenced this issue Feb 15, 2017

woju added a commit to woju/qubes-core-admin that referenced this issue Feb 21, 2017

woju added a commit to woju/qubes-core-admin that referenced this issue Feb 21, 2017

qubes/events: they accept only keyword arguments
Positional arguments are hereby deprecated, with immediate effect.

QubesOS/qubes-issues#2622

woju added a commit to woju/qubes-core-admin that referenced this issue Feb 21, 2017

woju added a commit to woju/qubes-core-admin that referenced this issue Mar 1, 2017

woju added a commit to woju/qubes-core-admin that referenced this issue Mar 1, 2017

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Mar 9, 2017

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Mar 15, 2017

mgmt: encode property type in property.Get
This also requires having property.type public.

QubesOS/qubes-issues#2622

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Mar 15, 2017

mgmt: implement mgmt.vm.property.Set
Sanitization of input value is tricky here, and also very important at
the same time. If property defines value type (and it's something more
specific than 'str'), use that. Otherwise allow only printable ASCII
characters, and let appropriate event and setter handle value.
At this point I've reviewed all QubesVM properties in this category and
added appropriate setters where needed.

QubesOS/qubes-issues#2622

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Mar 15, 2017

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Mar 16, 2017

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Mar 16, 2017

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Mar 16, 2017

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Mar 16, 2017

mgmt: drop ProtocolRepr
Since we've added type= argument to property.Get format, it isn't
useful anymore.

QubesOS/qubes-issues#2622

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Mar 17, 2017

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Mar 28, 2017

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Mar 28, 2017

vm: move validate_name to qubes/vm
This will be needed by VMProperty class in the next commit.

QubesOS/qubes-issues#2622

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Mar 28, 2017

mgmt: move property value sanitization to property definition
This also means we don't check if a VM with given name (in case of
VMProperty) exists in the system, at this stage. But this is ok, let's
not duplicate work of property setter.

QubesOS/qubes-issues#2622

woju added a commit to woju/qubes-core-admin that referenced this issue Mar 31, 2017

woju added a commit to woju/qubes-core-admin that referenced this issue Mar 31, 2017

woju added a commit to woju/qubes-core-admin that referenced this issue Mar 31, 2017

woju added a commit to woju/qubes-core-admin that referenced this issue Mar 31, 2017

woju added a commit to woju/qubes-core-admin that referenced this issue Mar 31, 2017

woju added a commit to woju/qubes-core-admin that referenced this issue Mar 31, 2017

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue May 25, 2017

admin: implement admin.vm.volume.Import
Implement this in two parts:
1. Permissions checks, getting a path from appropriate storage pool
2. Actual data import

The first part is done by qubesd in a standard way, but then, instead of
accepting all the data (which may be several GB), return a path to which
a shell script (in practice: `dd` command) will write the data.
Then the script calls back to qubesd again to report success/failure and
qubesd's response from that call is actually returned to the user.

This way we do not pass all the data through qubesd, but still can
control the process from there in a meaningful way. Note that the last
part (second call to qubesd) may perform all kinds of verification (like
a signature check on the data, or so) and can also prevent VM from
starting (hooking also domain-pre-start event) from not verified image.

QubesOS/qubes-issues#2622
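The two-part import flow from this commit message, as an added sketch that is not code from qubes-core-admin: the broker grants a path after a permission check, a separate writer streams the data, and a second call decides the outcome and gates VM start. `ImportBroker`, `write_image`, the policy set and the SHA-256 comparison (standing in for "a signature check on the data, or so") are assumptions made for illustration.

```python
import hashlib
import os
import tempfile


class ImportBroker:
    """Stand-in for qubesd in this sketch: it decides, but never relays data."""

    def __init__(self, pool_dir, allowed):
        self._pool_dir = pool_dir
        self._allowed = allowed   # constructed policy: {(caller, vm)}
        self._imports = {}        # (vm, volume) -> [path, expected_sha256, state]

    def begin(self, caller, vm, volume, expected_sha256):
        # Part 1: permission check, then hand out a path instead of reading data.
        if (caller, vm) not in self._allowed:
            raise PermissionError(f"{caller} may not import into {vm}")
        path = os.path.join(self._pool_dir, f"{vm}-{volume}.import")
        self._imports[(vm, volume)] = [path, expected_sha256, "pending"]
        return path

    def end(self, vm, volume, writer_succeeded):
        # Second call: the writer reports its result, and the broker checks the
        # written data itself rather than trusting that report.
        entry = self._imports[(vm, volume)]
        path, expected, _state = entry
        ok = (writer_succeeded and os.path.exists(path)
              and _sha256(path) == expected)
        entry[2] = "verified" if ok else "failed"
        return ok

    def may_start(self, vm):
        # Pre-start hook: every import into this VM must have been verified.
        return all(entry[2] == "verified"
                   for (name, _vol), entry in self._imports.items()
                   if name == vm)


def _sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as stream:
        for block in iter(lambda: stream.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()


def write_image(path, chunks):
    """Part 2, the `dd` stand-in: stream data straight to the granted path."""
    with open(path, "wb") as out:
        for chunk in chunks:
            out.write(chunk)
    return True


def demo():
    data = [b"constructed ", b"sample ", b"image"]   # constructed sample input
    good = hashlib.sha256(b"".join(data)).hexdigest()
    with tempfile.TemporaryDirectory() as pool:
        broker = ImportBroker(pool, {("mgmt-vm", "work")})
        path = broker.begin("mgmt-vm", "work", "private", good)
        accepted = broker.end("work", "private", write_image(path, data))
        startable = broker.may_start("work")
        # A second import whose content does not match is rejected and
        # blocks the VM from starting.
        path = broker.begin("mgmt-vm", "work", "private", good)
        tampered = broker.end("work", "private", write_image(path, [b"other"]))
        return accepted, startable, tampered, broker.may_start("work")
```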

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue May 25, 2017

admin-api: fix handling admin.vm.property.Set with None VM value
Setting VMProperty to None VM should be encoded as '' value (according
to VMProperty._none_value). But value validation rejected this value.

QubesOS/qubes-issues#2622

woju added a commit to woju/qubes-core-admin-client that referenced this issue May 29, 2017

app: close payload_stream in qubesd_call
This is to prevent leaking file descriptors.

QubesOS/qubes-issues#2622

woju added a commit to woju/qubes-core-admin that referenced this issue May 29, 2017

woju added a commit to woju/qubes-core-admin that referenced this issue May 29, 2017

woju added a commit to woju/qubes-core-admin that referenced this issue May 29, 2017

woju added a commit to woju/qubes-core-admin that referenced this issue May 29, 2017

woju added a commit to woju/qubes-core-admin that referenced this issue May 30, 2017

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Jun 3, 2017

vm: change kernel=None to kernel=''
vm.kernel property has type 'str'. Putting None there causes a lot of
trouble: it gets encoded as 'None' in qubes.xml and then loaded back as
'None' string, not None value. Also it isn't possible to assign None
value to str property through Admin API.

kernel='' is equally good to specify "no kernel from dom0".

QubesOS/qubes-issues#2622

marmarek added a commit to marmarek/qubes-core-admin-client that referenced this issue Jun 19, 2017

marmarek added a commit to marmarek/qubes-core-admin-client that referenced this issue Jun 19, 2017

storage: add volume clone method
Clone volume without retrieving all the data.

QubesOS/qubes-issues#2622

marmarek added a commit to marmarek/qubes-core-admin-client that referenced this issue Jun 19, 2017

Implement VM clone as create + copy data+metadata
This way we don't need separate admin.vm.Clone call, which is tricky to
handle properly with policy.
A VM may not have access to all the properties and other metadata, so
add ignore_errors argument, for best-effort approach (copy what is
possible). In any case, failure of cloning VM data fails the whole
operation.
When operation fails, VM is removed.

While at it, allow to specify alternative VM class - this allows
morphing one VM into another (for example AppVM -> StandaloneVM).

Adjust qvm-clone tool and tests accordingly.

QubesOS/qubes-issues#2622

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Jun 19, 2017

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Jun 19, 2017

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Jun 26, 2017

api/admin: skip firewall in vm.Clone
This operation is going to be removed, so apply a quick fix for tests.

QubesOS/qubes-issues#2622

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Jun 26, 2017

qubes: validate if property value consists of ASCII only earlier
Do this for all standard property types - even if other types do
additional validation, do not expose them to non-ASCII characters.

QubesOS/qubes-issues#2622
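The validation order described in this commit message and in the earlier `mgmt.vm.property.Set` one (ASCII-only check first, then the property's declared type, and printable ASCII only for plain `str` properties), as an added sketch that is not code from qubes-core-admin. `PROPERTY_TYPES`, `sanitize_property_value`, `ValidationError` and the accepted int and bool spellings are assumptions made for illustration.

```python
# Hypothetical property table for this sketch; the real property definitions
# live in qubes-core-admin and are not reproduced here.
PROPERTY_TYPES = {"memory": int, "autostart": bool, "kernel": str}

MAX_INT_DIGITS = 10  # assumption: bound the length before calling int()


class ValidationError(ValueError):
    """Raised when an untrusted value is rejected."""


def sanitize_property_value(name, untrusted_payload):
    """Return a typed value for property *name*, or raise ValidationError.

    *untrusted_payload* is raw bytes from the caller; the untrusted_ prefix
    marks data that has not passed validation yet.
    """
    if name not in PROPERTY_TYPES:
        raise ValidationError("unknown property")

    # Step 1: reject non-ASCII before any type-specific parser sees the data.
    try:
        untrusted_text = untrusted_payload.decode("ascii")
    except UnicodeDecodeError:
        raise ValidationError("non-ASCII byte in value") from None

    prop_type = PROPERTY_TYPES[name]

    # Step 2: a type more specific than str does its own strict parsing.
    if prop_type is int:
        if not untrusted_text.isdigit() or len(untrusted_text) > MAX_INT_DIGITS:
            raise ValidationError("expected a non-negative decimal integer")
        return int(untrusted_text)
    if prop_type is bool:
        if untrusted_text not in ("True", "False"):
            raise ValidationError("expected True or False")
        return untrusted_text == "True"

    # Step 3: plain str gets printable ASCII only (0x20-0x7e), so control
    # characters and newlines never reach the event handlers or the setter.
    if not all(0x20 <= ord(char) <= 0x7E for char in untrusted_text):
        raise ValidationError("non-printable character in value")
    return untrusted_text
```

The empty string passes the `str` branch, which is what lets a value such as `kernel=''` be assigned through the API.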

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Jun 26, 2017

api/admin: firewall-related methods
In the end firewall is implemented as .Get and .Set rules, with policy
statically set to 'drop'. This allows atomic firewall updates.

Since we already have appropriate firewall format handling in
qubes.firewall module - reuse it from there, but adjust the code to be
prepared for potentially malicious input. And also mark such variables
with untrusted_ prefix.

There is also a third method: .Reload - which causes firewall reload
without making any change.

QubesOS/qubes-issues#2622
Fixes QubesOS/qubes-issues#2869

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Jun 26, 2017

api/admin: remove admin.vm.Clone operation
The same can be achieved with Create+volume.Clone

QubesOS/qubes-issues#2622

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Jun 26, 2017

api/admin: split vm.volume.Clone to CloneFrom and CloneTo
The first operation returns a token, which can be passed to the second
one to actually perform clone operation. This way the caller needs to have
power over both source and destination VMs (or at least appropriate
volumes), so it's easier to enforce appropriate qrexec policy.

The pending tokens are stored on Qubes() instance (as QubesAdminAPI is
not persistent). It is a design choice to keep them in RAM only - those
are one-time use and this way restarting qubesd is a simple way to
invalidate all of them. Otherwise we'd need some additional calls like
CloneCancel or such.

QubesOS/qubes-issues#2622
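The token hand-off described in this commit message, as an added sketch that is not code from qubes-core-admin: each half is authorized separately against its own VM, tokens are single-use, and they live only in process memory. `CloneTokenStore`, `PolicyDenied`, the policy tuple layout and the token format are assumptions made for illustration.

```python
import secrets


class PolicyDenied(Exception):
    """The caller lacks permission, or the token is not valid."""


class CloneTokenStore:
    """Pending clone tokens, held in RAM only (lost when the process restarts)."""

    def __init__(self, policy):
        # Constructed policy for this sketch: {(caller, method, target_vm)}.
        self._policy = policy
        self._pending = {}   # token -> (source_vm, source_volume)

    def _check(self, caller, method, vm):
        if (caller, method, vm) not in self._policy:
            raise PolicyDenied(f"{caller} may not call {method} on {vm}")

    def clone_from(self, caller, src_vm, volume):
        # First half: authorized against the SOURCE VM only.
        self._check(caller, "admin.vm.volume.CloneFrom", src_vm)
        token = secrets.token_hex(16)   # unguessable; format is an assumption
        self._pending[token] = (src_vm, volume)
        return token

    def clone_to(self, caller, dst_vm, volume, untrusted_token):
        # Second half: authorized against the DESTINATION VM only.
        self._check(caller, "admin.vm.volume.CloneTo", dst_vm)
        # pop() removes the token as it is looked up, so it cannot be
        # redeemed twice even if the copy that follows fails.
        try:
            source = self._pending.pop(untrusted_token)
        except KeyError:
            raise PolicyDenied("unknown or already used token") from None
        # Stand-in for the actual volume copy: report what would be cloned.
        return source, (dst_vm, volume)


def is_denied(call, *args):
    """Helper: True when the call raises PolicyDenied."""
    try:
        call(*args)
    except PolicyDenied:
        return True
    return False
```

Creating a fresh `CloneTokenStore` models a qubesd restart: every token issued by the old instance is rejected by the new one.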

marmarek commented Jul 7, 2017

I'm going to ignore admin.pool.volume.* for Qubes 4.0, since we don't need them now (there are admin.vm.volume.* equivalents). But keep it in specification and implement when we have a use case for them.

So, for now, only backup-related calls are missing.
